227 – Display access notification

Summary

The system must notify, upon any access attempt, that access to the system is only available for authorized users.

Description

Sometimes systems have information and other resources that are not considered public. These resources should be protected by a secure authentication mechanism that prevents unauthorized actors from accessing them. Whenever a non-authenticated actor attempts to access those resources, the system must notify them that the resources are only available to authorized users.

Supported In

Essential: True

Advanced: True

References

• OWASP10-A7. Identification and authentication failures
• CERTJ-OBJ10-J. Do not use public static nonfinal fields
• NYSHIELD-5575_B_4. Personal and private information
• MITRE-M1036. Account use policies
• SANS25-13. Improper authentication
• CMMC-AC_L1-3_1_1. Authorized access control
• CMMC-AC_L2-3_1_8. Unsuccessful logon attempts
• CMMC-AC_L2-3_1_9. Privacy & security notices
• FEDRAMP-AC-8. System use notification
• FEDRAMP-SI-5. Security alerts, advisories, and directives
• LGPD-19_II-1. Data Subjects Rights
• IEC62443-IAC-1_11. Unsuccessful login attempts
• IEC62443-IAC-1_12. System use notification
• WASC-W_01. Insufficient authentication
• ISSAF-H_14_7. Network security - Intrusion detection (detection engine)
• OWASPMASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices
• CWE25-287. Improper authentication

Weaknesses

• 240 – Authentication mechanism absence or evasion - OTP
• 241 – Authentication mechanism absence or evasion - AWS
• 242 – Authentication mechanism absence or evasion - WiFi
• 243 – Authentication mechanism absence or evasion - Admin Console
• 244 – Authentication mechanism absence or evasion - BIOS
• 298 – Authentication mechanism absence or evasion - Redirect
• 299 – Authentication mechanism absence or evasion - JFROG
• 300 – Authentication mechanism absence or evasion - Azure
• 365 – Authentication mechanism absence or evasion - Response tampering
• 370 – Authentication mechanism absence or evasion - Security Image
• 006 – Authentication mechanism absence or evasion
• 095 – Data uniqueness not properly verified
• 099 – Non-encrypted confidential information - S3 Server Side Encryption

Last updated

2024/02/05